HHS Proposes Changes to HIPAA Security Rule to Strengthen Cybersecurity in Healthcare

(Reposted from COSECURE )

On January 6, 2025, the U.S. Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) outlining significant updates to the HIPAA Security Rule. These changes aim to enhance cybersecurity, improve patient data protection, and ensure healthcare organizations are prepared to mitigate the growing threat of cyberattacks.

Given the 92% increase in cyberattacks on healthcare entities in 2024, these proposed updates seek to reduce business disruptions, protect patient information, and strengthen compliance requirements. The changes will require significant adjustments from healthcare organizations as they work toward compliance.

To understand the potential impact, we consulted Drew Neckar , a healthcare security executive and Principal Consultant at COSECURE Enterprise Risk Solutions, and Stig Ravdal Ravdal, CEO of Ravdal Security Consulting, to provide insight into the most impactful changes.

Who Is Affected? Understanding Covered Entities

The proposed HIPAA updates apply to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses that electronically transmit protected health information (PHI).

Definition of Covered Entities

Covered entities must comply with HIPAA because they handle sensitive patient health data. They include:

• Healthcare Providers: Doctors, hospitals, nursing homes, and pharmacies that transmit health data electronically.
• Health Plans: Health insurers, HMOs, and government health programs like Medicare and Medicaid.
• Healthcare Clearinghouses: Entities that process or facilitate electronic health information, such as billing services and data intermediaries.

These entities must prioritize cybersecurity measures to comply with the new requirements and protect PHI.

Background: Strengthening HIPAA Over Time

The HIPAA Security Rule has evolved through several legislative updates, including:

• HITECH Act (2009): Introduced breach notification requirements and expanded the definition of business associates to include subcontractors.
• Omnibus Rule (2013): Strengthened privacy protections, clarified Business Associate Agreements (BAAs), and increased penalties for non-compliance.
• Final Rule on Breach Notification (2013): Set clear breach reporting and notification requirements standards.
• Compliance Updates (2020-2021): Addressed new technologies, telehealth, and interoperability, especially in response to COVID-19.

The newly proposed 2025 updates further strengthen data security, access controls, and compliance obligations for covered entities.

Key Changes in the Proposed HIPAA Security Rule

The proposed changes require implementation of a number of technical and procedural safeguards for organizations’ data systems that may not already be in place.? The proposed rule also includes changes to physical security policies under §164.310 Physical Safeguards. These changes may require significant time and effort for organizations to implement, some of them that we anticipate to be most challenging include:

• Multi-Factor Authentication (MFA) Becomes Mandatory

Covered entities must implement MFA with limited exceptions. This requirement may be costly and complex, particularly for organizations with legacy systems. Additionally, it will require staff training to ensure proper implementation.

• Regular Cybersecurity Testing

Organizations must conduct:

Vulnerability Scanning at least every six months

Penetration Testing at least once per year

This change requires investments in technology, personnel, and remediation efforts, which could be challenging for organizations with limited IT security resources.

• Encryption of PHI at Rest and in Transit

All electronic protected health information (ePHI) must be encrypted both at rest and in transit, with very few exceptions. Many organizations will need to invest in new encryption technologies, which could be costly.

• Physical Security Plans Must Be Documented

Organizations must have formal policies detailing what physical security measures they have implemented to protect their PHI and the systems it resides on.

• Documentation of Physical Security Changes is Required

Every modification, repair, or update to physical security systems (e.g., locks, cameras, access controls) must be formally tracked and documented.

• Annual Physical Security Audits & Testing

Organizations must ensure they are following the protection plans that they have documented in their plans.

Organizations must also review and test these security measures at least every 12 months.

This testing should include penetration testing to assess physical vulnerabilities and identify potential gaps that would allow a criminal to inappropriately access protected components of the information systems.

• Expanded Definition of "Workstation"

Handheld devices (phones, tablets) accessing PHI must be protected similarly to laptops and desktops.

Timeline For Final Rule & Compliance

The public comment period for the proposed rule ends on March 7, 2025, after which a Final Rule will be published by HHS once any comments have been considered.

Once the final rule is published, it will most likely:

• Take effect 60 days later
• Require organizations to comply within 180 days

With a timeline of only six (6) to nine (9) months, healthcare organizations must act now and start preparing now to avoid non-compliance risks.

What Organizations Should Do Now

1. Conduct a Risk Assessment & Gap Analysis

• Identify areas not meeting the proposed security requirements.
• Determine budget needs for necessary technology investments.

2. Develop an Implementation Plan

• Outline specific steps, timelines, and responsible individuals for meeting compliance goals.
• Identify changes which may require non-approved budget.

3. Start Implementing Changes

• Enhance security protocols before the final rule is enforced.
• Modify processes that can be adjusted without major cost implications.

4. Review & Update Policies & Procedures

• Conduct an early policy review to ensure alignment with new security requirements.
• Identify the areas that are most affected by the change, propose the policy changes and ensure they align with Implementation Plan.
• Update your Business Associates Agreement (BAA) and send out notices about changes coming. Note: This is a great time to get BAAs updated with all 3rd parties.

5. Secure Funding for Compliance

• Prepare budget requests for technology, staff training, and compliance tools.
• Identify current budgeted projects that may be re-prioritized, or postponed to meet the new requirements.

6. Educate Leadership & Staff

• Inform the C-suite and management teams about new compliance risks and requirements.
• Take the initiative, if you haven’t already, to establish a cyber risk steering committee using the rule changes as the justification to setup meetings (but keep them going after).

7. Strengthen Vendor & Partner Relationships

• Ensure third-party partners are HIPAA-compliant.
• Begin communications with 3rd parties about the changes. Notify them of the new BAA coming, and ensure any outstanding issues are also addressed.

Final Thoughts: Preparing for the Future

With these sweeping changes, healthcare organizations must act now to avoid last-minute compliance challenges. By investing in security measures, updating policies, and engaging leadership early, organizations can minimize disruption and ensure they are ready when the final rule takes effect.

For more information on preparing, consider consulting with HIPAA compliance experts, cybersecurity, and physical security professionals to ensure your organization remains secure and compliant.